DHS Issues More Urgent Warning on DNS Hijacking

The U.S. Department of Homeland Security's building in Washington (Source: Wikipedia/CC)

The U.S. Department of Homeland Security says executive branch agencies are being targeted by attacks aimed at modifying Domain Name System records, which are critical for locating websites and services.

On Tuesday, DHS issued an emergency directive giving government agencies 10 days to verify that their DNS records are accurate. That directive comes after a "series" of incidents that have redirected internet and email traffic, the agency says.

DHS's Cybersecurity and Infrastructure Security Agency "is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them," the directive says.

Cyberattacks that target DNS systems are particularly powerful. Modifying a DNS record can allow an attacker to see traffic flowing to a particular website or service or mount effective phishing attacks to collect login credentials.

It's also possible to set a different IP address for a domain name than the legitimate IP address, a clever ruse that is nearly undetectable to end users. Even if the domain name is typed correctly in a browser, the victim is shuffled to the bogus service that may look completely legitimate, especially with a freshly generated TLS/SSL certificate.

The warning comes amid a partial government shutdown that is stretching into its second month with no resolution in sight. While critical cybersecurity monitoring services are running, experts say a prolonged shutdown will invariably have a long-term effect on readiness (see: Government Shutdown: Experts Fear Deep Cybersecurity Impact).

DNS Attacks: Back in Style

The upgraded warning comes after FireEye and Cisco's Talos intelligence unit noticed an uptick of DNS-related attacks, particularly in the Middle East.

Earlier this month, FireEye wrote about a wave of DNS hijacking attacks "affecting government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America."

The attackers aimed to compromise DNS records in order to eventually capture login and domain credentials, FireEye writes. Although it wasn't able to identify the attackers, its research "suggests the actor or actors responsible have a nexus to Iran."

"This campaign has targeted victims across the globe on an almost unprecedented scale with a high degree of success," FireEye says. "This type of attack is difficult to defend against, because valuable information can be stolen, even if an attacker is never able to get direct access to your organization's network."

A day after FireEye's blog post, DHS issued its first warning about DNS hijacking. In November 2018, Cisco's Talos wrote about the same style of attack, also in the Middle East.

Lebanon's Finance Ministry saw its email redirected as a result of a malicious DNS attack, according to a Talos blog post. Also in the UAE, Talos found that a law enforcement agency, the Telecommunication Regulatory Authority and Middle East Airlines, a Lebanese carrier, were struck by similar attacks.

The redirection destinations all carried digital certificates that the attackers generated from Let's Encrypt, the not-for-profit project dedicated to increasing the use of TLS/SSL certificates, Talos writes. Generating a fresh digital certificate for the redirected domain helps ensure the browser shows no warning that a service lacks encryption, which would raise suspicions.

Let's Encrypt offers free domain-validated TLS/SSL certificates in an effort to bolster encryption across the web.

The attacks appeared aimed at intercepting email and VPN traffic and perhaps credentials for those services, Talos says. The perpetrator was "an advanced actor who obviously has their sights set on some important targets, and they don't appear to be letting up any time soon," the company reports.

Call to Action

CISA is recommending that government agencies check all authoritative and secondary DNS servers to ensure that A records, mail exchange and name server settings are accurate.
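One way to run that check, as an added example that is not from the article or from CISA: compare what each authoritative and secondary server returns against an approved baseline. The domain, addresses, server labels and record layout are all constructed, and the answers are embedded rather than queried live.

```python
from collections import defaultdict
BASELINE = [  # constructed: approved records, e.g. exported from change management
    ("agency.example", "A", "192.0.2.10"),
    ("agency.example", "MX", "10 mail.agency.example."),
    ("agency.example", "NS", "ns1.agency.example."),
    ("agency.example", "NS", "ns2.agency.example."),
]
ANSWERS = {  # constructed: what each server returned when queried directly
    "ns1 (primary)": [
        ("Agency.Example.", "A", "192.0.2.10"),
        ("agency.example", "MX", "10 MAIL.agency.example"),
        ("agency.example", "NS", "ns1.agency.example"),
        ("agency.example", "NS", "ns2.agency.example"),
    ],
    "ns2 (secondary)": [
        ("agency.example", "A", "203.0.113.66"),  # differs from baseline
        ("agency.example", "MX", "10 mail.agency.example."),
        ("agency.example", "NS", "ns1.agency.example."),
        ("agency.example", "NS", "ns2.agency.example."),
    ],
}

def norm(rtype, value):
    """Canonicalise a value so case or a trailing dot is not reported as drift."""
    value = value.strip().lower().rstrip(".")
    if rtype == "MX":  # keep priority: a changed preference also reroutes mail
        prio, host = value.split()
        return f"{int(prio)} {host}"
    return value

def to_sets(records):
    """[(name, type, value)] -> {(name, type): set of normalised values}"""
    out = defaultdict(set)
    for name, rtype, value in records:
        rtype = rtype.upper()
        out[(name.lower().rstrip("."), rtype)].add(norm(rtype, value))
    return out

def audit(baseline, answers_by_server):
    """Return (server, name, type, unexpected, missing) for every mismatch."""
    want, findings = to_sets(baseline), []
    for server, records in sorted(answers_by_server.items()):
        got = to_sets(records)
        for key in sorted(set(want) | set(got)):
            unexpected = sorted(got.get(key, set()) - want.get(key, set()))
            missing = sorted(want.get(key, set()) - got.get(key, set()))
            if unexpected or missing:
                findings.append((server, *key, unexpected, missing))
    return findings
```

Auditing per server matters because a change made on one server can go unnoticed when only a single resolver's answer is inspected.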

One of the common ways attackers can change records is by snagging the login credentials for DNS accounts. CISA recommends that those passwords be changed.


CISA is also mandating that two-factor authentication be enabled for those accounts. If that can't be done, CISA wants agencies to report "the names of systems, why it cannot be enabled within the required timeline and when it could be enabled."

The other important tip is to monitor Certificate Transparency logs for new certificates that have been created for government domains. That's one way to detect something strange is afoot.

"Upon receipt, agencies shall immediately begin monitoring CT log data for certificates issued that they did not request," CISA says. "If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA."
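The CT monitoring step described above, as an added example that is not from the article or from CISA: filter log entries down to certificates that name an agency domain but are absent from the agency's own issuance inventory. The entry layout, field names, domain, issuer names and serials are constructed assumptions, not any real log's export format.

```python
WATCHED_ZONES = ("agency.example",)              # constructed domain
REQUESTED = {("Agency Contract CA", "0a1b2c")}   # constructed (issuer, serial) inventory

CT_ENTRIES = [  # constructed log entries; the field names are assumptions
    {"serial": "0A1B2C", "issuer": "Agency Contract CA", "kind": "cert",
     "logged_at": "2019-01-10T09:00:00+00:00", "dns_names": ["www.agency.example"]},
    {"serial": "7f3e9d", "issuer": "Free DV CA", "kind": "precert",
     "logged_at": "2019-01-21T03:12:00+00:00", "dns_names": ["mail.agency.example"]},
    {"serial": "7f3e9d", "issuer": "Free DV CA", "kind": "cert",
     "logged_at": "2019-01-21T03:12:40+00:00", "dns_names": ["mail.agency.example"]},
    {"serial": "9c0d11", "issuer": "Free DV CA", "kind": "cert",
     "logged_at": "2019-01-22T11:30:00+00:00", "dns_names": ["*.vpn.agency.example"]},
    {"serial": "55aa01", "issuer": "Free DV CA", "kind": "cert",
     "logged_at": "2019-01-22T12:00:00+00:00",
     "dns_names": ["agency.example.other.test", "notagency.example"]},
]

def covers_watched(name, zones=WATCHED_ZONES):
    """True if a certificate name is a watched zone or a host beneath one."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard covers hosts under its parent
        name = name[2:]
    # Require a label boundary so look-alike names do not match.
    return any(name == z or name.endswith("." + z) for z in zones)

def unrequested(entries, requested):
    """One finding per certificate that names a watched zone but is not in inventory."""
    seen, findings = set(), []
    for e in sorted(entries, key=lambda e: e["logged_at"]):
        serial = e["serial"].lower()   # logs and inventories may differ in hex case
        cert_id = (e["issuer"], serial)  # a precert and its final cert share this
        names = sorted(n for n in e["dns_names"] if covers_watched(n))
        if not names or cert_id in requested or cert_id in seen:
            continue
        seen.add(cert_id)
        findings.append({"serial": serial, "issuer": e["issuer"],
                         "names": names, "first_logged": e["logged_at"]})
    return findings
```

Each finding carries the issuer and serial, which is what an agency would need in order to report the certificate to the issuing certificate authority and to CISA.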

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
